Dual Standard Audit SSAE 18 and ISAE 3402

Dual Standard Audit refers to the audit process in which two different standards are used simultaneously to assess the controls and processes of an organization. In the case of Dual Standard Audit of SSAE 18 and ISAE 3402, two widely recognized and accepted standards for service organization reporting are used.

SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is an auditing standard established by the American Institute of Certified Public Accountants (AICPA) for service organizations in the United States. It replaced the previous SSAE 16 standard in 2017 and provides guidance for the auditor to examine and report on controls and processes related to financial reporting, compliance, and operations.

ISAE 3402 (International Standard on Assurance Engagements No. 3402) is an international standard established by the International Auditing and Assurance Standards Board (IAASB) for service organizations outside the United States. Like SSAE 18, it provides guidance for the auditor to examine and report on controls and processes related to financial reporting, compliance, and operations.

A Dual Standard Audit of SSAE 18 and ISAE 3402 involves performing an audit of controls and processes in a service organization using both standards. This approach is often used by multinational organizations or service providers with clients in multiple countries to meet the requirements of different regulatory frameworks.

The main benefit of a Dual Standard Audit is that it provides a comprehensive assessment of the controls and processes of a service organization that is recognized by clients, regulators, and stakeholders across different geographies. It also helps organizations avoid the need for multiple audits by different standards, which can be costly and time-consuming

Overall, the Dual Standard Audit of SSAE 18 and ISAE 3402 is an effective way for service organizations to demonstrate their commitment to quality and transparency to their clients and stakeholders around the world.

How it works?

Here are some key audit outline points for a Dual Standard Audit of SSAE 18 and ISAE 3402:

• Scope and objectives of the audit: The auditor should clearly define the scope and objectives of the audit, including the areas to be audited, the testing procedures to be performed, and the reporting requirements for both SSAE 18 and ISAE 3402 standards


• Risk assessment: The auditor should perform a risk assessment to identify the key risks that may affect the organization's operations, financial reporting, and compliance processes. This should include an evaluation of the organization's internal controls over financial reporting (ICFR).


• Controls testing: The auditor should perform testing procedures to evaluate the effectiveness of the organization's controls over financial reporting, compliance, and operations. This should include both substantive testing and control testing procedures.


• Evidence gathering: The auditor should gather sufficient and appropriate evidence to support the findings and conclusions of the audit, including documentation, interviews, observations, and test results.
• Reporting: The auditor should prepare a report on the organization's controls and processes that complies with both SSAE 18 and ISAE 3402 standards. The report should include an opinion on the effectiveness of the organization's controls and any material weaknesses or deficiencies identified during the audit
• Ongoing monitoring: The auditor should recommend ongoing monitoring procedures to ensure that the organization continues to maintain effective controls and processes over time. This may include periodic audits, monitoring of key risk indicators, and other control-related activities.

Overall, a Dual Standard Audit of SSAE 18 and ISAE 3402 requires a comprehensive and systematic approach to evaluating the organization's controls and processes. The auditor should carefully plan and execute the audit to ensure that it meets the requirements of both standards and provides a thorough and accurate assessment of the organization's control environment.